US-10437990

Detection of return oriented programming attacks in a processor

Published: October 8, 2019
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

In an embodiment, a processor for Return Oriented Programming (ROP) detection includes at least one execution unit; a plurality of event counters, each event counter associated with a unique type of a plurality of types of control transfer events; and a ROP detection unit. The ROP detection unit may be to: adjust a first event counter in response to detection of a first type of control transfer events; in response to a determination that the first event counter exceeds a first threshold, access a first configuration register associated with the first event counter to read configuration data; identify a set of ROP heuristic checks based on the configuration data read from the first configuration register; and perform each ROP heuristic check of the identified set of ROP heuristic checks. Other embodiments are described and claimed.

Patent Claims
15 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A machine-readable device comprising data, the data, when used by at least one machine, to cause the at least one machine to fabricate at least one integrated circuit that is to at least: adjust respective ones of a plurality of event counters of a processor based on respective types of detected control transfer events, respective ones of the event counters associated with respective ones of a plurality of configuration registers, and respective ones of the configuration registers to store data identifying respective ones of a plurality of sets of heuristic checks, a first one of the sets of heuristic checks different from a second one of the sets of heuristic checks; in response to a determination that a first one of the event counters satisfies a first threshold, access a first one of the configuration registers, the first one of the configuration registers associated with the first one of the event counters, and the first one of the configuration registers included in the processor; read, from the first one of the configuration registers, a first check bitmap for the first event counter, the first check bitmap to identify a first plurality of check registers, wherein respective bits of the check bitmap are associated with respective check registers including the first plurality of check registers, and respective settings of the respective bits are included in the check bitmap to identify the first plurality of check registers; access the first plurality of check registers based on the first check bitmap, respective ones of the first plurality of check registers to store data corresponding to respective ones of the heuristic checks included in the first one of the sets of heuristic checks, and the respective ones of the heuristic checks corresponding to respective, different types of heuristic checks; perform the heuristic checks included in the first one of the sets of heuristic checks; determine whether a possible ROP attack is occurring based on results of performing the heuristic checks included in the first one of the sets of heuristic checks; and provide an indication of a possible ROP attack to an anti-malware software application that is to perform an action responsive to identification of the ROP attack, the action to include at least one of monitoring suspected code, quarantining suspected code, notifying at least one of an administrator or a management system, halting execution of a system, or shutting down the system.

2. The machine-readable device of claim 1, wherein one of the heuristic checks included in the first one of the sets of heuristic checks includes determining whether a stack pointer is within valid boundaries of a stack region.

3. The machine-readable device of claim 1, wherein one of the heuristic checks included in the first one of the sets of heuristic checks includes determining whether an instruction pointer is within a set of valid memory address ranges for the instruction pointer.

4. The machine-readable device of claim 1, wherein one of the heuristic checks included in the first one of the sets of heuristic checks includes determining whether an instruction pointer is pointing to a valid Application Programming Interface (API) function.

5. The machine-readable device of claim 1, wherein the at least one integrated circuit is to read, from the first one of the configuration registers: an enable bit indicating whether the first one of the event counters is active; and a threshold value for the first one of the event counters.

6. A processor comprising: at least one execution unit, the at least one execution unit associated with an operating system; a plurality of event counters, respective ones of the event counters to count respective types of control transfer events; a plurality of configuration registers, respective ones of the configuration registers to store configuration data for the respective ones of the event counters, a first one of the configuration registers associated with a first one of the event counters to store first configuration data to identify first heuristic checks, a second one of the configuration registers associated with a second one of the event counters to store second configuration data to identify second heuristic checks, the first heuristic checks different than the second heuristic checks; and a Return Oriented Programming (ROP) detection unit to: adjust a first one of the event counters in response to detection of a first type of the control transfer events; and in response to a determination that the first one of the event counters satisfies a first threshold: read the first configuration data stored in the first one of the configuration registers to identify the first heuristic checks, wherein the first configuration data stored in the first configuration register includes a check bitmap, respective bits of the check bitmap are associated with respective ones of a plurality of heuristic checks, the plurality of the heuristic checks include the first heuristic checks and the second heuristic checks, and respective settings of the respective bits are included in the check bitmap to identify the first heuristic checks; access a first set of heuristic check registers based on the check bitmap, respective ones of the first set of heuristic check registers to store data corresponding to respective types of heuristic checks; perform the first heuristic checks; identify a possible ROP attack based on results of performing the first heuristic checks; and provide an indication of the possible ROP attack to the execution unit, the execution unit to cause at least one of the operating system or protection software to take an action responsive to identification of the possible ROP attack, the action to include at least one of monitoring suspected code, quarantining suspected code, notifying at least one of an administrator or a management system, halting execution of a system, or shutting down the system.

7. The processor of claim 6, further including firmware, and the ROP detection unit to perform the first heuristic checks by triggering one or more functions of the firmware.

8. The processor of claim 6, wherein the first configuration data read from the first one of the configuration registers further includes: an enable bit to indicate whether the first one of the event counters is active; and a threshold field to store the first threshold for the first one of the event counters.

9. The processor of claim 6, further including a stack, the first heuristic checks including a boundary check to determine whether a stack pointer of the stack is within a set of valid boundaries of a region of the stack.

10. The processor of claim 6, further including memory to store instructions, the first heuristic checks including a range check to determine whether an instruction pointer is within a set of valid memory address ranges of the memory.

11. The processor of claim 6, wherein the first heuristic checks include an Application Programming Interface (API) check to determine whether an instruction pointer associated with an instruction stack is pointing to a valid API function.

12. A system comprising: a processor including a plurality of cores, a first one of the cores including: a plurality of event counters, respective ones of the event counters to count respective types of control transfer events; a plurality of configuration registers, respective ones of the configuration registers to store configuration data for the respective ones of the event counters, a first one of the configuration registers associated with a first one of the event counters to store first configuration data to identify first heuristic checks, a second one of the configuration registers associated with a second one of the event counters to store second configuration data to identify second heuristic checks, the first heuristic checks different than the second heuristic checks; a plurality of check registers, respective ones of the check registers to store data associated with respective ones of a plurality of heuristic checks, the plurality of heuristic checks including the first heuristic checks and the second heuristic checks; and a Return Oriented Programming (ROP) detection unit to: adjust the first one of the event counters in response to detection of a first one of the types of control transfer events; and when the first one of the event counters satisfies a first threshold: access the first one of the configuration registers; read, from the first one of the configuration registers, the first configuration data for the first one of the event counters, wherein the first configuration data stored in the first configuration register includes a check bitmap, respective bits of the check bitmap are associated with respective ones of the heuristic check registers, and respective settings of the respective bits are included in the check bitmap to identify the first heuristic checks; access a first set of heuristic check registers based on the check bitmap to identify the first heuristic checks based on the first configuration data read from the first configuration register; identify a possible ROP attack based on results of the first heuristic checks; and cause an anti-malware application to perform an action responsive to identification of the possible ROP attack, the action to include at least one of monitoring suspected code, quarantining suspected code, notifying at least one of an administrator or a management system, halting execution of a system, or shutting down the system; and memory coupled to the processor.

13. The system of claim 12, wherein the plurality of heuristic checks includes a first check to determine whether a stack pointer is within valid boundaries of a stack region.

14. The system of claim 12, wherein the plurality of heuristic checks includes a first check to determine whether an instruction pointer is within a set of valid memory address ranges for the instruction pointer.

15. The system of claim 12, wherein the bits of the check bitmap associated with the first heuristic checks are set differently than the bits of the check bitmap not associated with the first heuristic checks.
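The counter, configuration-register and check-bitmap flow described in the abstract and claims can be modelled in software. The following C sketch is an added illustration, not code from the patent or its assignee; it covers the stack-pointer and instruction-pointer range checks only. Assumptions: the configuration-register bit layout, the event type names, "adjust" meaning increment, and the counter re-arming after the checks run are all hypothetical, and the address ranges are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumed layout (not from the patent): bit 0 enable, bits 1-16 threshold, bits 24-31 check bitmap */
#define CFG(en, th, map) ((uint32_t)(en) | ((uint32_t)(th) << 1) | ((uint32_t)(map) << 24))

enum { EV_RET, EV_IND_JMP, EV_TYPES };              /* hypothetical event types */
enum { CHK_STACK_BOUNDS, CHK_IP_RANGE, CHK_COUNT }; /* bit i selects check register i */

typedef struct { uint64_t lo, hi; } check_reg_t;    /* valid range [lo, hi) */
typedef struct {
    uint32_t counter[EV_TYPES];    /* one counter per control transfer type */
    uint32_t config[EV_TYPES];     /* one configuration register per counter */
    check_reg_t check[CHK_COUNT];  /* data each heuristic check compares against */
} rop_unit_t;

/* Count one event; returns a bitmap of failed checks (nonzero = possible ROP). */
uint32_t rop_on_event(rop_unit_t *u, int ev, uint64_t sp, uint64_t ip)
{
    uint32_t cfg = u->config[ev], failed = 0;
    if (!(cfg & 1u)) return 0;                                /* counter not enabled */
    if (++u->counter[ev] <= ((cfg >> 1) & 0xFFFFu)) return 0; /* threshold not exceeded */
    u->counter[ev] = 0;                 /* assumption: counter re-arms after checks */
    uint64_t value[CHK_COUNT] = { sp, ip };   /* value each check inspects */
    for (int i = 0; i < CHK_COUNT; i++)       /* run only the checks the bitmap selects */
        if ((((cfg >> 24) >> i) & 1u) &&
            (value[i] < u->check[i].lo || value[i] >= u->check[i].hi))
            failed |= 1u << i;
    return failed;
}

/* Constructed setup: returns get both checks, indirect jumps only the IP check. */
rop_unit_t rop_sample_unit(void)
{
    rop_unit_t u = {0};
    u.config[EV_RET]     = CFG(1, 3, (1u << CHK_STACK_BOUNDS) | (1u << CHK_IP_RANGE));
    u.config[EV_IND_JMP] = CFG(1, 1, 1u << CHK_IP_RANGE);
    u.check[CHK_STACK_BOUNDS] = (check_reg_t){ 0x7ffd0000, 0x7ffe0000 };
    u.check[CHK_IP_RANGE]     = (check_reg_t){ 0x400000, 0x500000 };
    return u;
}

int main(void)
{
    rop_unit_t u = rop_sample_unit();
    uint32_t r = 0;
    for (int i = 0; i < 4; i++)   /* 4th return exceeds threshold 3; SP is off-stack */
        r = rop_on_event(&u, EV_RET, 0x602000, 0x401000);
    return printf("failed-check bitmap: 0x%x\n", r) < 0;
}
```

Because each counter has its own bitmap, the same off-stack stack pointer is flagged on the return counter but ignored on the indirect-jump counter, which selects only the instruction-pointer check.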

Patent Metadata

Filing Date: September 30, 2016

Publication Date: October 8, 2019

Cite as: Patentable. “Detection of return oriented programming attacks in a processor” (US-10437990). https://patentable.app/patents/US-10437990
